Google blocked my site because malicious

Discussion regarding Joomla! 1.5 security issues.
Ooops
Joomla! Apprentice
Posts: 5
Joined: Wed Dec 05, 2012 3:31 pm

Google blocked my site because malicious

Post by Ooops » Tue Jan 13, 2015 11:04 pm

So, my friend's site (hosted on my account) is blocked by google. It uses Joomla 1.5, probably very outdated.

I've run the FPA tool and the result is below.

I suppose I should update joomla to the latest 1.5 version but I don't know if it's advisable to do so before solving the problem first.

I appreciate all the help I can get.

Thank you very much.
Last PHP Error(s) Reported :: Forum Post Assistant (v1.2.4) : 13th January 2015 wrote:#5 /home4/xa4/public_html/yaya/libraries/joomla/e in /home4/xa4/public_html/yaya/plugins/system/plugin_googlemap3_helper.php on line 1434
Forum Post Assistant (v1.2.4) : 13th January 2015 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 1.5.25-Stable (senu takaa ama mamni) 14-November-2011
Joomla! Configured :: Yes | Read-Only (444) | Owner: xa4 (uid: 1/gid: 1) | Group: xa4 (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.12.35.1418868451 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home4/xa4/public_html/yaya | System TMP Writable: Yes

PHP Configuration :: Version: 5.2.17 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 6135 | Log Errors To: error_log | Last Known Error: 05th December 2014 08:15:07. | Register Globals: 1 | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 64M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

MySQL Configuration :: Version: 5.5.40-36.1 (Client:5.5.40-36.1) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 7.10 MiB | #of Tables:  122
Detailed Environment :: wrote:PHP Extensions :: date (5.2.17) | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | curl () | dbase () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | session () | iconv () | standard (5.2.17) | json (1.2.1) | mbstring () | mcrypt () | mhash () | mime_magic (0.1) | mssql () | mysql (1.0) | SimpleXML (0.1) | odbc (1.0) | posix () | pspell () | Reflection (0.1) | imap () | SPL (0.2) | mysqli (0.1) | soap () | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tidy (2.0) | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.8.11) | cgi-fcgi () | magickwand (1.0.8) | imagick (3.0.1) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | SQLite (2.0-dev) | pdo_mysql (1.0.2) | SourceGuardian (8.2) | ionCube Loader () | Zend Optimizer () | Zend Engine (2.2.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: home/ (777) | home/xa4/ (777) | home/xa4/public_html/ (777) | home/xa4/public_html/yaya/ (777) | home/xa4/public_html/yaya/images/ (777) | home/xa4/public_html/yaya/images/stories/ (777) | images/remote/ (777) | images/stories/images/ (777) | images/stories/images/stories/ (777) | images/thumbnails/ (777) |
Extensions Discovered :: wrote:Components :: SITE :: User (1.5.0) | Wrapper (1.5.0) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.0.4) | WF_POPUPS_WINDOW_TITLE (2.0.4) | WF_POPUPS_WIDGETKIT_TITLE (2.0.4) | WF_POPUPS_JCEMEDIABOX_TITLE (2.0.4) | WF_FILESYSTEM_JOOMLA_TITLE (2.0.4) | WF_LINKS_JOOMLALINKS_TITLE (2.0.4) | WF_AGGREGATOR_[youtube]_TITLE (2.0.4) | WF_AGGREGATOR_VIMEO_TITLE (2.0.4) | WF_SPELLCHECKER_TITLE (2.0.4) | WF_SEARCHREPLACE_TITLE (2.0.4) | WF_MEDIA_TITLE (2.0.4) | WF_NONBREAKING_TITLE (2.0.4) | WF_FULLSCREEN_TITLE (2.0.4) | WF_PRINT_TITLE (2.0.4) | WF_LINK_TITLE (2.0.4) | WF_DIRECTIONALITY_TITLE (2.0.4) | WF_BROWSER_TITLE (2.0.4) | WF_CLEANUP_TITLE (2.0.4) | WF_TEXTCASE_TITLE (2.0.4) | WF_PREVIEW_TITLE (2.0.4) | WF_LAYER_TITLE (2.0.4) | WF_ARTICLE_TITLE (2.0.4) | WF_VISUALCHARS_TITLE (2.0.4) | WF_INLINEPOPUPS_TITLE (2.0.4) | WF_IMGMANAGER_TITLE (2.0.4) | WF_SOURCE_TITLE (2.0.4) | WF_XHTMLXTRAS_TITLE (2.0.4) | WF_TABLE_TITLE (2.0.4) | WF_STYLE_TITLE (2.0.4) | WF_AUTOSAVE_TITLE (2.0.4) | WF_PASTE_TITLE (2.0.4) | WF_CONTEXTMENU_TITLE (2.0.4) | MailTo (1.5.0) |
Components :: ADMIN :: AcyMailing (3.0.0) | AcyMailing Tag : Subscriber in (3.0.0) | AcyMailing Tag : Manage the Su (3.0.0) | AcyMailing : (auto)Subscribe d (3.0.0) | AcyMailing Tag : Website links (3.0.0) | AcyMailing Tag : Date / Time (3.0.0) | AcyMailing Tag : Joomla User I (3.0.0) | AcyMailing : trigger Joomla Co (3.0.0) | AcyMailing Manage text (1.0.0) | AcyMailing Module (3.0.0) | AcyMailing Template Class Repl (3.0.0) | AcyMailing Tag : CB User infor (3.0.0) | AcyMailing table of contents g (1.0.0) | AcyMailing : share on social n (1.0.0) | AcyMailing : Statistics Plugin (3.0.0) | AcyMailing Tag : content inser (3.0.0) | Template Manager (1.5.0) | Ozio Gallery 2 (2.6) | AZ Content List (1.5.2) | Language Manager (1.5.0) | Contact Items (1.0.0) | Custom Properties (1.98.3.3) | User Manager (1.5.0) | Banners (1.5.0) | Menus Manager (1.5.0) | Control Panel (1.5.0) | Configuration Manager (1.5.0) | Plugin Manager (1.5.0) | Media Manager (1.5.0) | Frontpage (1.5.0) | artgeotag (1.0) | JCE (2.0.4) | Editor - JCE (2.0.4) | Unknown (-) | Installation Manager (1.5.0) | Cache Manager (1.5.0) | Polls (1.5.0) | FLEXIcontent (1.5.4 stable ) | Content Page (1.5.0) | Weblinks (1.5.0) | Mass Mail (1.5.0) | Module Manager (1.5.0) | AceSearch (1.5.6) | Menus (1.5.0) | Polls (1.5.0) | Plugins (1.5.0) | Components (1.5.0) | Banners (1.5.1) | News Feeds (1.5.1) | Web Links (1.5.1) | Users (1.5.0) | Modules (1.5.0) | Content (1.5.1) | JComments (2.2.0.2) | Trash (1.0.0) | EventList (1.0.1) | Newsfeeds (1.5.0) | Search (1.5.0) | Sobi2 (2.9.3.2) | Messaging (1.5.0) | Linkr (2.3.9) |

Modules :: SITE :: JComments Latest (2.5.6) | ContentMap (1.0.0) | MG Banner position (1.5.0) | Joomla 1.5 HTML Module (1.5.0) | Banner (1.5.0) | Poll (1.5.0) | Search (1.0.0) | Menu (1.5.0) | RS-Exhibition (1.0) | Who\'s Online (1.0.0) | mod_coinslider (1.4.3) | Bouton facebook like (1.0) | Archived Content (1.5.0) | Most Read Content (1.5.0) | ITPFacebookLikeBox (1.2) | Random Image (1.5.0) | Sections (1.5.0) | Captify Content (1.1.8) | Breadcrumbs (1.5.0) | Article Scroller (1.0.0) | Article Intro (1.0.0) | Stalker (1.2.3) | Latest News (1.5.0) | Joomulus (04.10) | JLvotes Top rated articles (1.0) | Udjamaflip's Automated Tag Clo (0.9 BETA) | PixSearch (0.5.1) | Art Total Menu (1.6.7) | PGT SocialWeb (1.1.0) | Face FanBox or LikeBox (1.5.1.0) | Article List (1.0.3) | simpleForm2 (1.0.18) | ARI Ext Menu (2.0.8) | RS-FlashMatic (1.3) | Random Anything (0.1) | Camp26 FishEye Menu (1.3) | Facebook Share (1.0.1) | Joes Word Cloud (1.5.3) | RandArticles (1.5.1) | Kwick Sliding 1.5 (1.2) | Tweet Display Back (-) | Tweet Display Back (2.1.4) | Zoom Info (1.7) | June Link Ball (1.0.0) | Daily Pop Up (1.6) | Custom Properties Tags Cloud (1.98.3.3) | Syndicate (1.5.0) | Wrapper (1.0.0) | Random News with Intro (1.0.0) | Statistics (1.5.0) | System (1.0.0) | Vertical scroll recent article (2.0) | Easytagcloud (2.0 for J1.5) | Related Items (1.0.0) | XpertScroller (1.3) | Twitter Feed (1.0.0a) | AcyMailing Module (3.0.0) | Slide Menu (1.5.0) | GTranslate (1.5.x.24) | db8 Best Rated Content (2.0) | Footer (1.5.0) | Feed Display (1.5.0) | 1901 LikeBox (1.5.x.x) | RSform! Frontend List (1.0.4) | Spearhead Facebook Like Button (3.5.1) | CustoMenu (2.6.4) | Newsflash (1.5.0) | ITPShare (1.7) | ITPSocialButtons (1.7) | Latest News Scroller (1.5.0) | FL Latest Articles (1.5) | Login (1.5.0) | Custom HTML (1.5.0) | Custom Properties Searchbox (1.98.2) | Random Article links (1.0) | RSform! (1.0.4) |
Modules :: ADMIN :: Unread Items (1.0.0) | Quick Icons (1.0.0) | User Status (1.5.0) | Admin Submenu (1.0.0) | Title (1.0.0) | Toolbar (1.0.0) | AceSearch (1.5.0) | AceSearch - Quick Icons (1.5.0) | Items Stats (1.0.0) | Online Users (1.0.0) | Popular Items (1.0.0) | Latest News (1.0.0) | Logged in Users (1.0.0) | Footer (1.0.0) | Admin Menu (1.0.0) | Feed Display (1.5.0) | Login Form (1.0.0) | Custom HTML (1.5.0) |

Plugins :: SITE :: Authentication - OpenID (1.5) | Authentication - Example (1.5) | Authentication - LDAP (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | Search - Categories (1.5) | Search - FLEXIcontent (1.0) | Search - Sections (1.5) | Search - Content (1.5) | Search - CP Tags (1.98) | Search - JComments (1.0) | Search - Weblinks (1.5) | Search - Newsfeeds (1.5) | Search - Contacts (1.5) | Fly06 Modules Search Plugin (2.0 Beta) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) | Button - Readmore (1.5) | Button - Custom Properties Tag (1.98) | Button - Pagebreak (1.5) | Editor Button - JComments OFF (1.0) | Button - Image (1.0.0) | Editor Button - Linkr (2.3.9) | Button - Modules Anywhere (1.13.3) | Editor Button - JComments ON (1.0) | AcyMailing Tag : Manage the Su (3.0.0) | AcyMailing : share on social n (1.0.0) | AcyMailing Template Class Repl (3.0.0) | AcyMailing Tag : content inser (3.0.0) | AcyMailing : Statistics Plugin (3.0.0) | AcyMailing Tag : CB User infor (3.0.0) | AcyMailing Tag : Date / Time (3.0.0) | AcyMailing table of contents g (1.0.0) | AcyMailing Manage text (1.0.0) | AcyMailing Tag : Website links (3.0.0) | AcyMailing Tag : Joomla User I (3.0.0) | AcyMailing : trigger Joomla Co (3.0.0) | AcyMailing Tag : Subscriber in (3.0.0) | ImageSizer (1.5.2) | Sharable (1.0.3) | Content - ExtraVote (1.4) | Content - Page Navigation (1.5) | Accordion Menu Apple style (1.5.12) | NiftyBox (1.04) | RS-Exhibition (1.0) | Content - WMT Like It Plugin (1.0.6) | fboxbot (1.2) | Content - Vote (1.5) | Content - Example (1.0) | Content - Facebook Like And Sh (4.7) | Content - ContentMap (1.0.3) | Dione Image Wizard (2.1.10) | Custom Properties Tags Plugin (1.98.1) | Content - Pagebreak (1.5) | Dione Simple Rating (1.0.2) | Content - ITPSocialButtons (1.7) | Content - Linkr (2.3.9) | Content - JComments (1.0) | chronoforms (V4 RC1.8) | Content - Load Modules (1.5) | load module into article (1.1.0) | Content - Email Cloaking (1.5) | 
plg_content_mavikthumbnails (0.9.9.8) | Content - Bottombox (1.0) | Content - Core Design Ajax Vot (1.0.8) | Content - Face ArtLike button (1.5) | Admiror Frames Plugin (0.3) | Content - VOTItaly (JOOMItaly) (1.2) | Content - Code Highlighter (Ge (1.5) | Content - Tooltip GC (2.0) | Content - OzioGallery2 (1.0) | User - Example (1.0) | User - JComments (1.0) | User - Joomla! (1.5) | System - SEF (1.5) | System - Mobile Templates Plug (1.0) | System - FLEXIcontent advanced (1.0) | AcyMailing : (auto)Subscribe d (3.0.0) | System - Mouse Over Zoom (1.2.0) | System - JXtended Libraries (1.0.12) | System - RD Cloud Zoom v1.4 (1.4) | jDownloads - System Plugin (1.1) | System - Legacy (1.5) | Abivia.net SuperTable Plugin (1.3.6) | System - NoNumber! Framework (11.11.3) | System - BIGSHOT Google Analyt (1.7) | System - FLEXIcontent (1.1) | Google Maps (2.17) | System - Log (1.5) | System - JComments (1.0) | System - Modules Anywhere (1.13.3) | System - JB Library (2.1.4) | System - Asynchronous Google A (2.5.2) | System - Backlinks (1.5) | System - Debug (1.5) | System - AutoFacebook (1.0) | System - Remember Me (1.5) | System - NoNumber! 
Elements (11.11.3) | System - Google Maps (3.1) | Ulti Polaroid (1.1.1) | System - Mootools Upgrade (1.5) | System - Cache (1.5) | JComments - Avatar (3.1) | FLEXIcontent - Select Multiple (1.0) | FLEXIcontent - Select (1.0) | FLEXIcontent - Checkbox (1.0) | FLEXIcontent - Minigallery (1.0) | FLEXIcontent - Article toolbar (1.2) | FLEXIcontent - Linkslist (1.0) | FLEXIcontent - Extended Weblin (1.0) | FLEXIcontent - Image (1.0) | FLEXIcontent - Text (1.0) | FLEXIcontent - Weblink (1.0) | FLEXIcontent - Load Module (1.1) | FLEXIcontent - Page Navigation (1.1) | FLEXIcontent - Date (1.0) | FLEXIcontent - Email (1.0) | FLEXIcontent - Textarea (1.0) | FLEXIcontent - Core Fields (1.0) | FLEXIcontent - Checkbox image (1.0) | FLEXIcontent - Radio Image But (1.0) | FLEXIcontent - Radio Buttons (1.0) | FLEXIcontent - File (1.0) | Editor - JCE (2.0.4) | Editor - TinyMCE 3 (3.2.6) | Editor - XStandard Lite for Jo (1.0) |
Templates Discovered :: wrote:Templates :: SITE :: javanya (1.0.5) | tw_keepitsimple (1.0) | jm-rabbit (1.0.0) | themza_j15_13 (1.0.0) | siteground-j15-165 (1.0.0) | jm-creative (1.0.0) | tj_happiness (1.0.0) | jm-jewellry (1.0.0) | cloudscape_joohopia (1.0.0) | water_stone_001 (1.0) | Echse_V3_Free_Version (3.0) | portfolio (1.0.0) | Black Eyed Susan (1.0.1) | jm-designlab (1.0.0) | bc_luminity (1.0) | beez (1.0.0) | Nature with animated header (1.0) | Zen (1.0) | jm-rainbow (1.0.0) | jm-green (1.0.0) | vino_flash_V1 (2.4) | PavlinStyle (1.0.0) | rhuk_milkyway (1.0.2) | themza_j15_21 (1.0.0) | jb_power_tools (1.0) | a4joomla-Minimalist-F3-free (1.0) | 68portal (1.5) | News Flash (1.0) | siteground-j15-58 (1.0.0) | jm-green-leaves (1.0.0) | Startup Blue (1.0) | JM-simple1 (1.0.1) | siteground-j15-12 (1.0.0) | siteground-j15-75 (1.0.0) | fooloo (1.0) | addaman (1.0) | jm_experts6 (1.5) | themza_j15_42 (1.0.0) | jm_mica (1.0.1) | axe_rescheek (1.0.0) | Avantgarde (1.2) | BJ_Venus (1.5.0) | Space (1.1) | Fitness_V1 (3.0) | Greeble Surrealism (1.0) | grewloo2 (1.0) | tem_highergrounds (1.0) | Keepitsimple (1.0.0) | massarbeit (1.0) | JA_Purity (1.2.0) | wd_counterstrike (1.0) | siteground-j15-17 (1.0.0) | 123wd-j15-5 (1.0.0) | a4joomla-Business-free (1.0) |
Templates :: ADMIN :: Khepri (1.0) |
Last edited by mandville on Thu Jan 15, 2015 11:51 am, edited 1 time in total.
Reason: disabled smilies

Ooops
Joomla! Apprentice
Posts: 5
Joined: Wed Dec 05, 2012 3:31 pm

Re: Google blocked my site because malicious

Post by Ooops » Tue Jan 13, 2015 11:06 pm

I should add that it's not the first time it happened, as I had the same message at the very end of 2014. My hosting provider had scanned the site at the time and supposedly solved the problem, and a re-scan by Google lifted the blacklist, but now it's back, so I suppose the webhost didn't solve the cause of the problem.

This is the detail I get from Google, by the way:
Safe Browsing
Diagnostic page for youpiwine.com

What is the current listing status for youpiwine.com?
Site is listed as suspicious - visiting this website may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?
Of the 96 pages we tested on the site over the past 90 days, 87 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2015-01-13, and the last time suspicious content was found on this site was on 2014-12-30.
This site was hosted on 1 network(s) including AS20013 (CYRUSONE).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, youpiwine.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:
Return to the previous page.
If you are the owner of this website, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Centre.
I find it strange that Google said the last suspicious activity was 12/30/2014 (before they lifted the first blacklist) and now it's blacklisted again. But why would they do so if no new suspicious activity was detected?

I've also checked the website in Google's Webmaster Tools, and this is the suspicious snippet
[can't post it apparently]. But it involves a script tag and proquinta something url.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Google blocked my site because malicious

Post by mandville » Thu Jan 15, 2015 11:55 am

Your site was not properly cleaned last time.
You have out of date Joomla, loads of out of date extensions and incorrect permissions.

[ ] Ensure you have the latest version of Joomla for your version of Joomla. Delete all files in your Joomla installation, saving a copy of the configuration.php file.

[ ] Review Vulnerable Extensions List to make sure any 3rd party extensions versions used appear on the vulnerable list.

[ ] Review and action Security Checklist 7. Make sure you've gone through all of the steps.

[ ] Scan all machines with FTP, Joomla super admin, and Joomla admin access for malware, virus, trojans, spyware, etc. Checklist 7 contains a list of recommended scanners.

[ ] Change all passwords and if possible user names for the website host control panel. Change the Joomla database user name and password.

[ ] Use proper permissions on files and directories. They should never be 777, ideal is 644 for files and 755 for directories. The configuration file can be set to 444 which is read only.

[ ] Check your htaccess for any odd code (i.e. code which is not in the standard htaccess supplied as part of the Joomla installation).

[ ] Check the crontab or Task Scheduler for unexpected jobs/tasks.

[ ] Ensure you do not have anonymous ftp enabled.

[ ] Verify individually that any non-Joomla file such as but not limited to that will be placed back on the website such as images, pdf files, files for download, and other documents and files are valid and are supposed to be part of your website.

[ ] Replace the deleted files with fresh copies of a current full version of Joomla (minus the installation directory) you downloaded earlier. Install freshly downloaded copies of any extensions and templates used on the site. If the Joomla database user name and password were changed earlier, then make the necessary changes to the configuration.php file and upload a copy to the website. Upload any non-Joomla files that are necessary for your website. Only by replacing all files in the installation (including extensions and templates) can you be sure to remove the backdoors inserted and hidden in various files and directories. More detailed information can be found in the Security Checklist 7 document.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
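
The permission, .htaccess and crontab items of the checklist above, as an added example that is not part of the original post: a read-only bash audit of a Joomla document root. The function names are made up for this example, and the stock `htaccess.txt` is assumed to come from a freshly downloaded Joomla package.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): read-only audit of a Joomla document
# root against the permission and .htaccess items in the checklist above.
# It only reports; it changes nothing on disk.

# Files and directories writable by everyone (the "never 777" item).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | LC_ALL=C sort
}

# Anything that deviates from 755 for directories and 644 for files.
# configuration.php is also accepted at 444 (read-only), as the checklist allows.
nonstandard_perms() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -perm 644 ! \( -name configuration.php -perm 444 \) -print
}

# Lines of the live .htaccess that do not occur in the stock htaccess.txt
# from a fresh Joomla package (assumed path, passed in). Blank lines are ignored.
htaccess_extra_lines() {
    local live="$1" stock="$2"
    [ -f "$live" ] || return 0
    if [ ! -f "$stock" ]; then
        echo "no stock htaccess.txt to compare against: $stock" >&2
        return 2
    fi
    { grep -Fxv -f "$stock" "$live" || true; } | { grep -v '^[[:space:]]*$' || true; }
}

# Full report, including the crontab item for the current user.
audit() {
    local root="$1" stock="$2"
    echo "== world-writable =="
    world_writable "$root"
    echo "== not 755/644 (444 ok for configuration.php) =="
    nonstandard_perms "$root"
    echo "== .htaccess lines not in stock htaccess.txt =="
    htaccess_extra_lines "$root/.htaccess" "$stock"
    echo "== crontab for $(id -un) =="
    crontab -l 2>/dev/null || echo "(none)"
}

# Usage: ./audit.sh /path/to/site /path/to/fresh/htaccess.txt
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

Every path or line it prints is something to review by hand before the files are replaced with fresh copies; a clean report does not replace the reinstall step.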

